Last modified by messines on 2022/05/25 10:11
From version 5.1
edited by messines
on 2021/03/18 12:17
Change comment: There is no comment for this version
To version 1.1
edited by villemai
on 2020/05/04 16:15
Change comment: There is no comment for this version

Summary

Details

Page properties
Title
... ... @@ -1,1 +1,1 @@
1 -1. Registering an OIDC client
1 +Registering an OIDC client
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.messines
1 +XWiki.villemai
Content
... ... @@ -1,34 +13,13 @@
1 -== Must read before starting ==
2 -
3 -It's very important to choose the right type of clients and to understand the various OAuth flows.
4 -
5 -A very good documentation is this one :
6 -
7 -[[https:~~/~~/auth0.com/docs/authorization/which-oauth-2-0-flow-should-i-use>>url:https://auth0.com/docs/authorization/which-oauth-2-0-flow-should-i-use]]
8 -
9 -and another one
10 -
11 -[[https:~~/~~/dzone.com/articles/the-right-flow-for-the-job-which-oauth-20-flow-sho>>url:https://dzone.com/articles/the-right-flow-for-the-job-which-oauth-20-flow-sho]]
12 -
13 13  == Creating your OpenID Connect client ==
14 14  
15 -The steps to create an OpenID Connect (OIDC) client are the following:
3 +The steps to create an OpenID Connect client are the following:
16 16  
17 -1. Ask the developer accreditation to be authorize to create client
18 18  1. get an access token from the `developer` client
19 -1. save your registration access token for further modifications of your client
20 20  1. use the token to call the create endpoint
7 +1. save your registration access token for further modifications of your client
21 21  
22 -Note that a Jupyter Notebook notebook is available in the Drive of this collab to help you create and modify your OIDC client. Its name is: **//Managing an OpenID Connect client.ipynb//** [add link]
9 +Note that a [[notebook>>url:https://lab.ebrains.eu/user-redirect/lab/tree/drive/Shared%20with%20all/Collaboratory%20Community%20Apps/Managing%20an%20OpenID%20Connect%20client.ipynb]] is available to help you create and modify your OIDC client.
23 23  
24 -=== Ask for developer accreditation ===
25 -
26 -To be authorize to create an OIDC client you have to be accredited as developer.
27 -
28 -Please go on this page and "Request to join" the group [[https:~~/~~/wiki.ebrains.eu/bin/view/Identity/#/groups/app-collaboratory-iam~~-~~-service-providers>>https://wiki.ebrains.eu/bin/view/Identity/#/groups/app-collaboratory-iam--service-providers]]
29 -
30 -We will quickly process your request and you will be able to create an OIDC client
31 -
32 32  === Fetching your developer access token ===
33 33  
34 34  Getting your developer token is done in one simple step: authenticate against the developer client with the password grant.
... ... @@ -37,8 +37,8 @@
37 37  
38 38  {{code language="bash"}}
39 39  # Gather username and password from user
40 -read -p 'Enter your username: ' clb_dev_username
41 -read -s -p 'Enter your password: ' clb_dev_pwd
19 +echo '\nEnter your username' && read clb_dev_username &&
20 +echo '\nEnter your password' && read -s clb_dev_pwd &&
42 42  
43 43  # Fetch the token
44 44  curl -X POST https://iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/token \
... ... @@ -46,12 +46,12 @@
46 46   -d 'grant_type=password' \
47 47   --data-urlencode "username=${clb_dev_username}" \
48 48   --data-urlencode "password=${clb_dev_pwd}" |
28 +
29 +# Prettify the JSON response
30 +json_pp;
49 49  
50 -# and pretty-print the JSON response
51 -json_pp
52 -
53 53  # Erase the credentials from local variables
54 -clb_dev_pwd=''; clb_dev_username=''
33 +clb_dev_pwd='';clb_dev_username=''
55 55  {{/code}}
56 56  
57 57  The response will be similar to:
... ... @@ -69,7 +69,7 @@
69 69  }
70 70  {{/code}}
71 71  
72 -Store a copy of the "access_token" value. You will need if for the next step.
51 +Copy the "access_token" value, you will need if for the next step.
73 73  
74 74  === Creating the client ===
75 75  
... ... @@ -77,7 +77,7 @@
77 77  
78 78  {{code language="bash"}}
79 79  # Set your developer token
80 -clb_dev_token="eyJhbGci..."
59 +clb_dev_token=...
81 81  
82 82  # Send the creation request
83 83  curl -X POST https://iam.ebrains.eu/auth/realms/hbp/clients-registrations/default/ \
... ... @@ -104,7 +104,7 @@
104 104   }
105 105   }' |
106 106  
107 -# Pretty print the JSON response
86 +# Prettify the JSON response
108 108  json_pp;
109 109  {{/code}}
110 110  
... ... @@ -156,7 +156,7 @@
156 156  
157 157  Among all the attributes, you should securely save:
158 158  
159 -* your client **secret** ("secret" attribute): it is needed by your application to **authenticate to the IAM server** when making back-end calls
138 +* your client **secret** ("secret" attribute): it is needed by your application to **authenticate to the IAM server** when making backend calls
160 160  * your client **registration access token** ("registrationAccessToken"): you will need it to authenticate when **modifying your client in the future**
161 161  
162 162  === Modifying your client ===
... ... @@ -165,15 +165,14 @@
165 165  
166 166  {{code language="bash"}}
167 167  # Set your registration token and client id
168 -clb_reg_token="eyJhbGciOi..."
169 -clb_client_id="my-awesome-client"
147 +clb_reg_token=...
170 170  
171 -# Update the client. Note that the client ID appears both in the endpoint URL and in the body of the request.
172 -curl -X PUT https://iam.ebrains.eu/auth/realms/hbp/clients-registrations/default/${clb_client_id} \
149 +# Update the client
150 +curl -X PUT https://iam.ebrains.eu/auth/realms/hbp/clients-registrations/default/my-awesome-client \
173 173   -H "Authorization: Bearer ${clb_reg_token}" \
174 174   -H 'Content-Type: application/json' \
175 175   -d '{
176 - "clientId": "'${clb_client_id}'",
154 + "clientId": "my-awesome-client",
177 177   "redirectUris": [
178 178   "/relative/redirect/path",
179 179   "/these/can/use/wildcards/*",
... ... @@ -181,13 +181,15 @@
181 181   ]
182 182   }' |
183 183  
184 -# Pretty print the JSON response
185 -json_pp
186 -
162 +# Prettify the JSON response
163 +json_pp;
187 187  {{/code}}
188 188  
189 189   Note that your need to provide your client id both in the endpoint URL and within the body of the request.
190 190  
191 191  {{warning}}
192 -**⚠  Each time you modify your client, a new registration access token is generated. You need to keep track of your latest token to keep access to your client.  **
169 +/!\ ** Each time you modify your client, a new registration access token will be generated. You need to keep track of your token changes to keep access to your client.   **/!\
193 193  {{/warning}}
171 +
172 +(% class="wikigeneratedid" id="HH4Won27tAppearinToC" %)
173 +
Table of content